
As root, I created a new non-root user on RHEL 7.5:

appuser:x:1903:1903:appuser:/home/appuser:/bin/bash

A non-root user should be able to sudo to appuser,

sudo -u appuser

without a password,

What are the changes required on RHEL 7.5?

overexchange
  • That sudo su - appuser is a horrendous security breach: you're giving full root access to the user who has permission to do that. Instead, just give the account permission to get to appuser, so they would sudo -su appuser (here, -su is two flags, -s -u). No need for the su command anywhere. – Chris Davies Oct 29 '18 at 15:01
  • @roaima Query edited. sudo -u syslog does not work. It asks for the password for current user – overexchange Oct 29 '18 at 15:05
  • Of course it does. That's what sudo does. – Chris Davies Oct 29 '18 at 15:28
  • Ugh, I wish people wouldn't give us the security lecture when it's irrelevant to my use case. – Sridhar Sarnobat Feb 26 '20 at 20:09

1 Answer


You can edit the "User privilege specification" section of /etc/sudoers, adding:

non-root-user ALL = (appuser) NOPASSWD: ALL

This will allow non-root-user to run all commands as appuser. non-root-user will not be allowed to run commands as root.

Note that errors in /etc/sudoers can make a system unusable. The file should only be edited with:

$ sudo visudo

This special editor checks the sudoers file for errors before saving and refuses to save it if errors are found.

fra-san
  • But -r--r----- 1 root root 1225 Jun 12 12:04 /etc/sudoers. Do you think this is customised permission? – overexchange Oct 29 '18 at 15:50
  • E45 error on modifying the file with vi editor – overexchange Oct 29 '18 at 16:30
  • It looks like -r--r----- is the standard file mode for /etc/sudoers. Refer to my edited answer for how to edit it. – fra-san Oct 29 '18 at 17:18
  • This still gives visudo: /etc/sudoers: Permission denied if I do not have root privileges, so I don't see how this answers the question. – Sridhar Sarnobat Feb 26 '20 at 20:02
  • @SridharSarnobat The sudo visudo part is just a clarification on how to (safely) edit /etc/sudoers, i.e. how to configure the system so that an unprivileged user can authenticate as another unprivileged user without being prompted for a password. That step requires root access, of course (and the OP does have it). Apparently, the question is not about how to configure a non-root user using a non-root user. Does this clear your doubts? – fra-san Feb 26 '20 at 21:40
  • Fair enough, my case isn't quite the same as the OP. I don't have the ability to temporarily use root permissions so I guess I'm out of luck. This seems like a bit of a flaw in Linux's model. – Sridhar Sarnobat Feb 26 '20 at 21:41
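
The rule from the answer above, written to a drop-in file and syntax-checked before it goes live; this is an added example, not part of the original answer. It assumes /etc/sudoers still contains the `#includedir /etc/sudoers.d` line and that it is run as root; the function names and the drop-in file name are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original answer). Run install_rule as root.
LC_ALL=C; export LC_ALL   # make the a-z ranges below byte-exact

# Build the sudoers rule. Names are restricted to [a-z_][a-z0-9_-]* so that
# commas, spaces, "%group" or "ALL" cannot widen the rule.
make_rule() {
    for name in "$1" "$2"; do
        case "$name" in
            ''|*[!a-z0-9_-]*|[!a-z_]*)
                echo "invalid user name: $name" >&2; return 1 ;;
        esac
    done
    # Keep the property the answer relies on: the rule never grants root.
    if [ "$2" = "root" ]; then
        echo "refusing to create a passwordless rule targeting root" >&2
        return 1
    fi
    printf '%s ALL = (%s) NOPASSWD: ALL\n' "$1" "$2"
}

# Stage the rule, let visudo parse it, and install it only if it is valid.
install_rule() {
    rule=$(make_rule "$1" "$2") || return 1
    # Hypothetical file name; sudo skips drop-ins containing '.' or ending in '~'.
    dest="/etc/sudoers.d/${1}-as-${2}"
    tmp=$(mktemp) || return 1
    printf '%s\n' "$rule" > "$tmp"
    # -c -f checks the staged file only; the live configuration is untouched.
    if visudo -c -f "$tmp" >/dev/null; then
        install -o root -g root -m 0440 "$tmp" "$dest"
        status=$?
    else
        echo "syntax check failed, nothing installed" >&2
        status=1
    fi
    rm -f "$tmp"
    return "$status"
}

# Run as the calling user, with the target user as $1.
# -n makes sudo fail instead of prompting, so a password prompt counts as failure.
verify_rule() {
    [ "$(sudo -n -u "$1" id -un 2>/dev/null)" = "$1" ]
}
```

As root, `install_rule non-root-user appuser` writes the rule; `verify_rule appuser`, run as non-root-user, then confirms that no password is requested.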